OAuth Status Pages
Web Authorization Protocol (Active WG)
Sec Area: Roman Danyliw, Benjamin Kaduk | 2009-May-13
Charter: 2020-05-10
Web Authorization Protocol (oauth)
----------------------------------

Charter

Current Status: Active

Chairs:
  Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
  Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>

Security Area Directors:
  Roman Danyliw <rdd@cert.org>
  Benjamin Kaduk <kaduk@mit.edu>

Security Area Advisor:
  Roman Danyliw <rdd@cert.org>

Mailing Lists:
  General Discussion: oauth@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/oauth
  Archive: https://mailarchive.ietf.org/arch/browse/oauth/

Description of Working Group:

The Web Authorization (OAuth) protocol allows a user to grant a third-party web site or application access to the user's protected resources, without necessarily revealing their long-term credentials, or even their identity. For example, a photo-sharing site that supports OAuth could allow its users to use a third-party printing web site to print their private pictures, without allowing the printing site to gain full control of the user's account and without having the user share his or her photo-sharing site's long-term credential with the printing site.

The OAuth 2.0 protocol suite already includes

  * a procedure for enabling a client to register with an authorization server,
  * a protocol for obtaining authorization tokens from an authorization server with the resource owner's consent, and
  * protocols for presenting these authorization tokens to protected resources for access to a resource.

This protocol suite has been enhanced with functionality for interworking with legacy identity infrastructure (such as SAML), token revocation, token exchange, dynamic client registration, token introspection, a standardized token format with the JSON Web Token, and specifications that mitigate security attacks, such as Proof Key for Code Exchange.

The ongoing standardization efforts within the OAuth working group focus on increasing the interoperability of OAuth deployments and on improving security. More specifically, the working group is defining proof-of-possession tokens, developing a discovery mechanism, providing guidance for the use of OAuth with native apps, re-introducing the device flow used by devices with limited user interfaces, adding security enhancements for clients communicating with multiple service providers, defining claims used with JSON Web Tokens, developing techniques to mitigate open redirector attacks, and providing guidance on encoding state information.

For feedback and discussion about our specifications please subscribe to our public mailing list at <oauth AT ietf.org>.

For security-related bug reports that relate to our specifications please contact <oauth-security-reports AT ietf.org>. If the reported bug turns out to be implementation-specific we will attempt to forward it to the appropriate developers.

Goals and Milestones:

  Apr 2017 - Submit 'OAuth 2.0 Device Flow' to the IESG
  May 2017 - Submit 'OAuth 2.0 Token Exchange' to the IESG for consideration as a Proposed Standard
  Jul 2017 - Submit 'OAuth 2.0 Mix-Up Mitigation' to the IESG
  Jul 2017 - Submit 'OAuth 2.0 Security: Closing Open Redirectors in OAuth' to the IESG
  Jul 2017 - Submit 'OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution' to the IESG
  Jul 2017 - Submit 'A Method for Signing HTTP Requests for OAuth' to the IESG
  Done     - Submit 'OAuth 2.0 Proof-of-Possession (PoP) Security Architecture' to the IESG
  Done     - Submit 'Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)' to the IESG
  Done     - Submit 'Request by JWS ver.1.0 for OAuth 2.0' to the IESG for consideration as a Proposed Standard
  Done     - Submit 'Authentication Method Reference Values' to the IESG
  Done     - Submit 'OAuth 2.0 for Native Apps' to the IESG
  Done     - Submit 'OAuth 2.0 Authorization Server Discovery Metadata' to the IESG
All charter page changes, including changes to draft-list, rfc-list and milestones: